DATA PROTECTION INFORMATION FOR CUSTOMERS, INTERESTED PARTIES AND
SERVICE PROVIDERS OF DUO PLAST AG
As of: February 2022
In accordance with the provisions of Art. 13, 14 and 21 of the General Data Protection Regulation (GDPR), we are hereby informing you of the processing of the personal data collected about you and your rights as the data subject. The specific data which is processed and the way in which it is used depends largely on the requested or agreed services. In order to ensure that you are fully informed about the processing of your personal data in the context of the performance of a contract or in order to take steps prior to entering into a contract, please take note of the information below.
The controller responsible for data processing within the meaning of data protection law is:
DUO PLAST AG
36341 Lauterbach, Germany
Tel.: +49 6641 6550-0
Fax: +49 6641 61713
Contact data: Datenschutz@duoplast.ag
We process personal data that we receive from you as part of our business relationship. In addition, we process personal data that we have obtained from publicly accessible sources (e.g. the Internet, commercial and association registers, press/media, directories, address data service providers and inquiry agencies) and are allowed to process.
Relevant personal data for customers who take part in business transactions as natural persons comprises their first names, last names, address/company address, contact details such as telephone and/or email, profession/industry and comparable data, as well as data that we collect in the course of the business relationship or the performance of a contract. Contract data includes revenues, goods movements, financial data (including creditworthiness data) as well as written documentation data (contracts, orders, permits, etc.), information on your operating equipment (machine type), data on the fulfilment of customs regulations (supplier declaration), control data, customer history data, purchasing behaviour and competition data.
We process the personal data of the employees of all business partners. This includes contact data and other data (e.g. email, faxes, letters, photos — if provided — and other personal information exchanged in the course of the business relationship).
For other business partners, such as EDP services, licenses, consultation services, educational institutes, maintenance, tradesmen, cleaning, we also process supplier data/creditor data, e.g. contract master data or billing and control data. If a business relationship does not exists, we process the contact data and competition information of potential customers.
For events organised by us, we also use the registration data (including any employee data) as well as permissible visual documentation (e.g. presentations, images, etc.).
You can find further details or additions to the purposes of data processing in the respective contract documents, forms, declarations of consent and/or other information provided to you (e.g. as part of the use of our website or our Terms and Conditions).
Why we process your data and on which legal basis:
Your personal data will be processed in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and other relevant data protection regulations.
PURPOSES AND LEGAL BASIS ON WHICH WE PROCESS YOUR DATA
- For the performance of a contract or in order to take steps prior to entering into a contract in accordance with Art. 6 (1) (b) GDPR:
The processing (see Art. 4 No. 2 GDPR) of personal data takes place for the purpose of the performance of our contracts with you and the execution of your orders as well as in order to take steps to carry out activities prior to entering into a contract. This essentially includes contract-related communication with you, the verifiability of transactions, orders and other agreements as well as for quality control purposes through appropriate documentation, goodwill procedures, measures to control and optimise business processes as well as the fulfilment of general due diligence obligations, control and monitoring by affiliated companies (e.g. freight forwarders and service providers), statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, billing and tax assessment of operational services, the assertion of legal claims and defence in legal disputes, ensuring IT security (inter alia, system and plausibility tests) as well as general security, ensuring and exercising domiciliary rights (e.g. through access controls), ensuring integrity, authenticity and availability of the data, prevention and investigation of criminal offences; control by supervisory bodies or control bodies (e.g. audit). Furthermore, this also includes the receivables management via debt collection companies associated with contract processing. If you act as a (legal or organisational) representative of a business partner, we also consider the processing of your personal data (e.g. as invoice recipient, as system user, etc.) to be included in the purpose of the contract.
- As part of a balancing of interests in accordance with Article 6 (1) (f) GDPR:
Beyond the actual performance of the contract or preliminary contract, we may process your data if it is necessary to protect our legitimate interests or those of third parties, in particular for the following purposes:
To check and optimise processes for analysing the needs of our customers and addressing them directly, creating evaluations/statistics and using them for business management purposes and the further development of products and services as well as existing processes. This is for internal purposes.
To consult and exchange data with inquiry agencies (Verband der Vereine Creditreform e.V. in Neuss, EULER HERMES Deutschland in Hamburg, Atradius, Kreditversicherung Köln, KSV1870 Holding AG in Vienna, Austria, or other credit agencies) to determine creditworthiness or default risks within the framework of what is legally permissible and taking into account your legitimate interests in the exclusion of transmission or use.
We regularly check the creditworthiness of new customers upon the conclusion of contracts and the opening of accounts, as well as that of existing customers in certain cases where we have a legitimate interest in such. In order to do this, we work together with credit agencies, from which we receive the necessary data. On behalf of the above-mentioned inquiry agencies, we will inform you in advance of the following information pursuant to Art. 14 GDPR. These credit agencies operate databases in which credit information about you is stored. Information on creditworthiness is given to us on this basis. In particular, the name, address, date of birth, email address, if applicable, payment history and shareholdings of persons are stored in the database of the inquiry agencies.The purpose of processing the stored data is to provide information about the creditworthiness of the requested person. The legal basis for this processing is Art. 6 (1) (f) GDPR. Legitimate interests can lie in the initiation of a business relationship, instalment agreements, shareholdings, receivables, credit checks. The processing of the data stored by us takes place on the basis of compelling legitimate grounds. These lie in creditor and credit protection.
Furthermore, we process your data as part of our business relationship to secure receivables. For this purpose, we take out insurance to secure receivables. The following data about you will be transmitted to the insurer in the process: address, telephone number, email address, sales tax, customer number.
We process your address, telephone number and email address to enable optimal advertising communication. We also process data from your customer history (list of products purchased, special interests, etc.) for direct marketing purposes, which we use to inform you about suitable and attractive offers relating to our service portfolio, e.g. the sending of product information, offers and information regarding services or satisfaction surveys and to invite you to relevant events, such as the presentation of new products at trade fairs. We have an important legitimate interest in processing personal data for marketing purposes, in order to maintain or initiate a business relationship with you. You may object to this advertising approach.
In the case of press and other media representatives, we use address and communication data in the context of sending press and/or information material on the grounds of a legitimate interest.
In addition, we process personal data:
- for inclusion in our contact database, contact maintenance after business contact (e.g. after receiving your business card);
- for market and opinion research, unless you have objected to the use of your data;
- to enrich our data, inter alia, by using or researching publicly available data;
- for statistical evaluations or market analysis;
- for benchmarking;
- for the assertion of legal claims and defence in legal disputes that are not directly attributable to the contractual relationship;
- to the limited storage of the data if erasure is not possible or only possible with disproportionate effort due to the special type of storage;
- for the prevention and investigation of criminal offences, insofar as not exclusively for the fulfilment of legal requirements;
- for internal and external investigations or security reviews;
- to obtain and maintain certifications of a private or official nature;
- for building and system security (e.g. through access controls and video surveillance), insofar as this goes beyond the general duty of care;
- for IT and data security purposes;
- to ensure and exercise the domiciliary rights through appropriate measures as well as through video surveillance to protect our customers and employees as well as to secure evidence in the case of criminal offences and their prevention;
- for the administrative purposes of affiliated companies.
- On the basis of your consent pursuant to Art. 6 (1) (a) GDPR:
To the extent that you have granted us consent to process personal data for specific purposes, this consent is the legal basis for such processing. The details of the processing, such as the purposes and consequences of a withdrawal or the refusal of consent result from the respective declaration of consent. A consent granted can be withdrawn at any time by declaring such to the office named above, regardless of the time at which such consent was given. An email is sufficient in this regard. In principle, the withdrawal of consent is only effective for the future. Processing that took place before the withdrawal is not affected and remains lawful.
- On the basis of legal obligations pursuant to Art. 6 (1) (c) GDPR:
As with all companies in Germany, we are subject to a large number of legal regulations that require the processing and, in particular, the storage of your personal data. These are primarily legal requirements (e.g. commercial and tax laws), but also data protection, supervisory or other official requirements, which, for example, require the archiving of data for the purposes of data protection and data security as well as auditing by tax and other authorities. In addition, the disclosure of personal data as part of official/judicial measures for the purposes of gathering evidence, prosecution or enforcing civil claims and the prevention of threats (e.g. EU terror regulations or regulations for the prevention of fraud and money laundering) may become necessary.
You can find further details and supplements on the processing purposes in our contract documents, forms, declarations of consent and the other information made available to you (e.g. on the website or in the Terms and Conditions).
Who receives your data?
Within our company/affiliated companies, those departments or organisational units will have access that require your data to perform our contractual and legal obligations and legitimate interests.
Your data will only be passed on to external bodies:
- in connection with the performance of the contract;
- for the purpose of fulfilling legal requirements, according to which we are obligated to provide information, report or pass on data, or where the data transfer lies in the public interest (see Section 1);
- Examples of disclosures related to the points listed above are: authorities, inquiry agencies, debt collection companies, lawyers, tax consultants, auditors, courts, expert opinions, credit institutions, Group companies and committees and supervisory bodies;
- when external service companies process data on our behalf as processors (Art. 28 GDPR). These processors are companies in the categories of support/maintenance of EDP/IT applications, data centres, website programming and hosting, archiving, data destruction, logistics, printing services, telecommunications, marketing, data validation and data plausibility checks, customer management, letter shops, marketing, media technology, research, risk controlling, accounting, website management. With these service providers, your data is subject to the same security standards as with us. In other cases, recipients may only use the data for the purposes for which they were transmitted.
- We only pass on your data to third parties for their own use if and to the extent that consent has been granted or contractual and/or statutory regulations provide for such.
How long will your data be stored?
Subject to further processing grounds, we process your data for the duration of the business relationship with you or the business partner you represent (legal entities under public or private law). This also includes the initiation of a contract (legal relationship prior to entering into a contract) and the performance of a contract. In addition, we then store your personal data until the statute of limitations for any legal claims arising from our relationship with you has expired, in order to use them as evidence, if necessary. The limitation period is usually between 12 and 36 months, but can also be up to 30 years. When the statute of limitations begins, we will erase your personal data, unless a legal obligation of retention arises, for example, from the German Commercial Code (Sec. 238, 257 (4) [Handelsgesetzbuch, HGB]) or from the German Tax Code (Sec. 147 (3) and (4) [Abgabenordnung, AO]). The storage and documentation periods specified within are up to ten years after the end of the business relationship or legal relationship prior to entering into a contract.
If the data is no longer required for the fulfilment of contractual or legal obligations and rights, it is regularly erased, unless its further processing – for a limited period – is necessary to fulfil the purposes listed under section 2 for an overriding legitimate interest. Such an overriding legitimate interest also exists, for example, if erasure is not possible or only possible with disproportionate effort due to the special type of storage, and processing for other purposes is excluded by suitable technical and organisational measures.
Will your data be transferred to a third country or an international organisation?
Data is transferred to bodies in countries outside the European Union (EU) or the European Economic Area (EEA) if it is necessary for the performance of an order/contract, it is required by law (e.g. tax reporting obligations), it lies within the scope of our or a third party’s legitimate interests or you have given us your consent.
No data will be transmitted to international organisations.
Is there an obligation to provide data? As part of our business relationship, you only have to provide the personal data that is necessary for the establishment, performance and termination of the business relationship or that which we are legally obligated to collect. We cannot enter into or maintain the business relationship without the aforementioned data.
Do automated decision-making processes take place in individual cases?
We refrain from automated decisions in individual cases including profiling within the meaning of Art. 22 GDPR.
What rights do you have?
Every data subject has the right to information pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, and the right to erasure in accordance with Art. 17 GDPR (unless other legal regulations (e.g. legal storage obligations or the restrictions of Sec. 35 BDSG) or an overriding interest on our part (e.g. to defend our rights and claims) do not oppose such). Furthermore, each data subject has the right to restriction of processing pursuant to Art. 18 GDPR and the right to data portability pursuant to Art. 20 GDPR. The restrictions according to Sec. 34 BDSG new version apply to the right to information and the right to erasure. In addition, you have a right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. However, we recommend that you always address a complaint to our data protection officer first.
According to Art. 21 GDPR, you have the right to object to the processing of personal data relating to yourself at any time for reasons arising from your particular situation, which is based on Art. 6 (1) (f) GDPR (data processing on the basis of a balance of interests).
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or where the processing serves to assert, exercise or defend legal claims.
If we process your data in order to operate direct advertising, you also have the right to object at any time to the processing of your personal data. If you object to the processing for direct advertising purposes, we will no longer process your personal data for these purposes.
In addition, you have the right to withdraw your consent to the processing of personal data at any time with effect for the future.
If possible, your requests to exercise your rights should be directed in writing to the address stated above or directly to our data protection officer.